Engine-analysis creates invalid rules.json in 6.0.3

I use the engine-analysis flag in my validation of my ruleset, but it seems like any rules with warnings create an invalid JSON object in rules.json. I see it has been fixed in 7.0.0-dev (I use the jasonish/suricata docker image and the master there has fixed it), but it is still present in the 6.0.3 image, which is created from the 6.0.3 release.

Is it possible to backport fixes to the 6.0-branch?

I tested with ET rule 2017746 in test.rules, and the following command in both the docker image of master and of 6.0.3: suricata -c /etc/suricata/suricata.yaml -S ./test.rules -i eth0 -T --init-errors-fatal --engine-analysis

And this was the resulting rules.json in 6.0.3, with the missing closing square bracket in the warnings key:

{"raw":"alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET MALWARE Trojan-Downloader Win32.Genome.AV\"; flow:to_server,established; urilen:10; flowbits:set,et.GENOME.AV; http.method; content:\"GET\"; http.uri; content:\"/other.txt\"; fast_pattern; http.header; content:\"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)\"; http.header_names; content:!\"Referer|0d 0a|\"; content:!\"Accept|0d 0a|\"; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:4; metadata:created_at 2013_11_25, updated_at 2020_04_27;)\r","id":2017746,"gid":1,"rev":4,"msg":"ET MALWARE Trojan-Downloader Win32.Genome.AV","app_proto":"http","requirements":["flow"],"flags":["sp_any","dp_any","applayer","toserver","prefilter"],"pkt_engines":[{"name":"packet","is_mpm":false}],"engines":[{"name":"http_uri","direction":"toserver","is_mpm":true,"app_proto":"http","progress":1,"matches":[{"name":"urilen"},{"name":"content","content":{"pattern":"/other.txt","nocase":false,"negated":false,"starts_with":false,"ends_with":false,"is_mpm":true,"fast_pattern":true}}]},{"name":"http_method","direction":"toserver","is_mpm":false,"app_proto":"http","progress":1,"matches":[{"name":"content","content":{"pattern":"GET","nocase":false,"negated":false,"starts_with":false,"ends_with":false,"is_mpm":false,"fast_pattern":false}}]},{"name":"http_header","direction":"toserver","is_mpm":false,"app_proto":"http","progress":2,"matches":[{"name":"content","content":{"pattern":"User-Agent: NSIS_Inetc (Mozilla)","nocase":false,"negated":false,"starts_with":false,"ends_with":false,"is_mpm":false,"fast_pattern":false}}]},{"name":"http_header_names","direction":"toserver","is_mpm":false,"app_proto":"http","progress":2,"matches":[{"name":"content","content":{"pattern":"Referer\r\n","nocase":false,"negated":true,"starts_with":false,"ends_with":false,"is_mpm":false,"fast_pattern":false}},{"name":"content","content":{"pattern":"Accept\r\n","nocase":false,"negated":true,"starts_with":false,"ends_with":false,"is_mpm":false,"fast_pattern":false}}]}],"lists":{"packet":{"matches":[{"name":"flow"}]},"post-match":{"matches":[{"name":"flowbits"}]}},"warnings":["pattern looks like it inspects HTTP, use http_user_agent or http_header for improved performance"}
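Since the point of running --engine-analysis in a validation pipeline is to catch bad rules before deployment, the pipeline should also notice when rules.json itself is malformed, as it is in 6.0.3 for rules that carry a warning. The checker below is an added example, not part of the original post or of Suricata; it assumes rules.json holds one JSON object per rule per line (the shape shown above), parses each line, reports the line number and the sid of any object that fails to parse, and flags the specific symptom described in the post, a "warnings" array that is never closed. The embedded sample is constructed to mimic that output, with the second object missing its closing square bracket.

```python
import json
import re
import sys

# Constructed sample (not real Suricata output): one JSON object per line,
# the second object reproducing the 6.0.3 symptom of an unclosed "warnings" array.
SAMPLE_RULES_JSON = (
    '{"raw":"alert http any any -> any any (sid:1;)","id":1,"warnings":[]}\n'
    '{"raw":"alert http any any -> any any (sid:2;)","id":2,'
    '"warnings":["pattern looks like it inspects HTTP"}\n'
)

# Pull the sid out of a line even when the line is not valid JSON.
SID_RE = re.compile(r'"id"\s*:\s*(\d+)')


def looks_like_unclosed_warnings(line):
    """Heuristic for the symptom in the post: a '"warnings":[' array with no
    closing ']' anywhere after it on the line."""
    marker = '"warnings":['
    idx = line.rfind(marker)
    if idx == -1:
        return False
    return ']' not in line[idx + len(marker):]


def check_rules_json(text):
    """Parse each non-empty line of an engine-analysis rules.json as JSON.

    Returns a list of (line_number, sid_or_None, message) for lines that are
    not a well-formed JSON object. An empty list means the file is clean."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            match = SID_RE.search(line)
            sid = int(match.group(1)) if match else None
            msg = exc.msg
            if looks_like_unclosed_warnings(line):
                msg += " (unclosed \"warnings\" array, as in the 6.0.3 report)"
            problems.append((lineno, sid, msg))
            continue
        if not isinstance(obj, dict):
            problems.append((lineno, None, "top-level value is not a JSON object"))
    return problems


if __name__ == "__main__":
    # Usage: python check_rules_json.py [path/to/rules.json]
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_RULES_JSON
    findings = check_rules_json(data)
    for lineno, sid, msg in findings:
        print(f"line {lineno}: sid={sid}: {msg}")
    # Non-zero exit so a CI job treats malformed engine-analysis output as a failure.
    sys.exit(1 if findings else 0)
```

Run it against the rules.json that --engine-analysis writes; a non-zero exit means at least one object did not parse, and the sid in the message tells you which rule to look at. Because the checker works line by line, one broken object does not hide the rest of the file.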

Yes, will make sure the fix(es) land in 6.0.4

https://redmine.openinfosecfoundation.org/issues/4576
